TL;DR: Ransomware recovery often fails first at identity, with more than 78% of human-operated attacks involving domain controller breaches and typical downtime measured in 22 days, according to Commvault. The practical lesson is that data recovery without clean AD and Entra ID restoration leaves organisations locked out of their own environment.
NHIMG editorial — based on content published by Commvault: ransomware resilience and identity recovery for Active Directory and Entra ID
By the numbers:
- 78% of human-operated ransomware attacks involve domain controller, controller breaches.
- Average ransomware downtime: 22 days.
Questions worth separating out
Q: What breaks when Active Directory is unavailable during a ransomware recovery?
A: Authentication, authorisation, and trust restoration break first.
Q: Why do identity systems make ransomware recovery harder?
A: Identity systems define who can access what, and ransomware often targets that control plane directly.
Q: How do organisations know if their identity recovery plan is actually working?
A: The strongest signal is whether authentication can be restored from clean backups without reintroducing malicious changes or broken trust relationships.
Practitioner guidance
- Inventory identity recovery dependencies Map every service, application, device, and privilege path that depends on Active Directory or Entra ID before defining recovery priorities.
- Maintain isolated, immutable identity backups Store clean copies of directory state, configuration, and cloud identity policy in an air-gapped or otherwise isolated location.
- Run full-forest recovery drills Exercise complete AD recovery scenarios, not just file restores, and include Entra ID restoration in hybrid environments.
What's in the full article
Commvault's full article covers the operational detail this post intentionally leaves for the source:
- The article lays out the full hurricane-to-ransomware analogy used to structure the resilience argument.
- It includes the complete assess, protect, isolate, recover, evolve blueprint for identity recovery planning.
- It describes Commvault's full forest recovery and Entra ID protection workflow in more implementation detail.
- It expands the FAQ with recovery sequencing guidance for AD, cloud identity, and trust restoration.
👉 Read Commvault's analysis of ransomware resilience for Active Directory and Entra ID →
Active Directory and Entra ID recovery: are your identity controls ready?
Explore further
Identity resilience is now a business continuity control, not just an IAM concern. The article is correct to treat identity loss as the point where ransomware turns from disruption into lockout. When Active Directory or Entra ID fails, the organisation loses the ability to authenticate, authorise, and trust its own systems. Practitioners should stop treating identity restoration as an adjacent recovery task and treat it as part of resilience design.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means many recovery plans cannot verify which non-human identities remain active after an incident.
A question worth separating out:
Q: Who is accountable for restoring identity after a ransomware incident?
A: Accountability usually spans IAM, infrastructure, security operations, and disaster recovery leadership because identity restoration sits across all four domains. The owning team should be defined before an incident, with clear runbooks for directory recovery, privileged access validation, and cloud identity synchronisation. Without that ownership, recovery becomes fragmented and slow.
👉 Read our full editorial: Identity resilience for ransomware depends on AD and Entra recovery